Live Data Forensics - or - Why volatile data can be crucial for your cases

Date of publication
13-4-30 17:51

As I mentioned in my first blog post, Digital Forensics can be the driving force in your cases. While in typical investigations evidence found on digital devices may only have a supportive character, strengthening other traditional evidence, there are also cases where digital evidence may be the only proof of guilt or innocence. That is why it is crucial to seize and analyse electronic evidence according to the standard operating procedures (SOP) of your legislation and/or department. If there are no such SOPs in place, or you want to test your procedures against international standards, you might want to take a look at the Electronic Evidence Guide, published just recently by the Council of Europe. In this guide, which can serve as a template to be adopted and customised by your department, the topic "Live Data Forensics" plays an important part. In the following paragraphs you will see why this sub-branch of Digital Forensics is becoming more and more important and why Volatile Data can be crucial for your cases.

What is Live Data Forensics?

Live data forensics is one part of computer forensics, which is a branch of digital forensic science pertaining to legal evidence found in computers. Computer forensics deals with the examination of computer systems in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts that might become evidence in a trial. Live data forensics follows this aim but is focused only on computer systems that are powered on. The main purpose is to acquire volatile data that would otherwise be lost if the computer system is turned off, or be overwritten if the computer system stays turned on for a longer period.

What are Volatile Data?

Volatile Data are data stored digitally in a way that makes it very likely their contents will be deleted, overwritten or altered within a short time by human or automated interaction.

There are different kinds of volatile data that the investigator needs to know and to distinguish:

Transient Data are not volatile in their nature but are only accessible on scene. Encrypted volumes as well as remote resources are examples of this kind of data. Their defining characteristic is that their contents might become inaccessible, altered or deleted after the search if the investigator is not able to acquire them on scene.

Why is Live Data Forensics becoming more and more important?

As the amount of Random Access Memory (RAM) in modern computer systems is constantly rising, and 64-bit operating systems use the whole of this fast storage to cache and serve data more quickly, the probability of evidence being stored in this area is very high. RAM contents fade very quickly as soon as the investigator cuts the power supply from a machine, unless they are treated in a special way (e.g. Cold Boot Attack). In times where more and more data are stored either temporarily in RAM (think of e.g. private browsing modes) or remotely (think of cloud services), or the operating system does not store any data on the hard drive at all (think of Live DVDs), all these data would be lost without Live Data Forensics techniques.

Why can Volatile Data be crucial for your cases?

If the suspect of your case stored the evidential documents on a cloud storage, if he used encrypted containers or even full disk encryption, or if he used techniques to overwrite his traces on the physical hard disk, you can still get information from Volatile Data. Encryption can sometimes be beaten by extracting the encryption key from RAM, cloud storage can be detected and acquired while the machine is still running, and unsaved or even physically overwritten data might still have left traces in RAM.

All this data will get lost if Live Data Forensics is not performed while the computer system is running. This makes well-defined SOPs, professional training and preparation of specialists imperative.
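As an added illustration, not part of the original post or the Electronic Evidence Guide, the following Python script sketches a minimal live-response collector in the spirit described above: it runs a fixed, ordered set of read-only commands on a running Linux system, stores each output, and records a UTC timestamp and SHA-256 in a manifest so that the collection can later be verified. The command list, its ordering, and the output directory name are assumptions to be adapted to your own SOP.

```python
"""Minimal live-response collector: capture volatile artefacts in order of
volatility and record a manifest (UTC timestamp, command, SHA-256) per step."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Assumed ordering, most volatile first; adapt the tool list to your SOP.
DEFAULT_STEPS = [
    ("system_time", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("logged_in_users", ["who"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_sockets", ["ss", "-tunap"]),
]

def collect(out_dir, steps=DEFAULT_STEPS, timeout=30):
    """Run each step, store raw output under out_dir, return the manifest."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, cmd in steps:
        entry = {"artefact": name, "command": cmd,
                 "started_utc": datetime.now(timezone.utc).isoformat()}
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            # Missing or hung tool: log the failure, keep collecting the rest.
            entry["error"] = repr(exc)
            manifest.append(entry)
            continue
        path = out / f"{name}.txt"
        path.write_bytes(proc.stdout)
        entry.update(file=path.name, returncode=proc.returncode,
                     size=len(proc.stdout),
                     sha256=hashlib.sha256(proc.stdout).hexdigest())
        manifest.append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Re-hash stored artefacts against the manifest; return mismatched names."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [e["artefact"] for e in manifest if "sha256" in e and
            hashlib.sha256((out / e["file"]).read_bytes()).hexdigest() != e["sha256"]]

if __name__ == "__main__":
    for e in collect("live_response_out"):
        print(e["artefact"], e.get("sha256", e.get("error")))
```

The manifest gives you the timestamps and hashes you need to document when each volatile artefact was captured and to show it has not changed since.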